Articles

AFP 2016: Finance Pros Wary of DDoS Attacks, BEC Scams

By Andrew Deichler

Published: 10/24/2016

Orlando, Fla. – Financial executives weighed in on some of the top security threats they are facing Monday morning at the 2016 AFP Annual Conference. Once again, last week’s massive distributed denial of service (DDoS) attack on Dyn was a key topic of discussion.

Moderator Peter Wheeler, CCM, senior vice president with KeyBank, noted that this attack is particularly unique because of the way in which it occurred—through hacking and exploiting household devices that are connected to the internet (the Internet of Things). “One of the biggest internet switches in the world basically got shut down on Friday because of a distributed denial of service attack,” he said. “I’m sure that my refrigerator and my DVR were part of that attack. There are so many smart devices out there that can be hijacked for the purposes of just sending signals into the servers. They hijacked everything that had access to the internet and started pinging these servers until it overloaded the system.”

But why does shutting the system down matter for financial professionals? “How many businesses lost an entire day’s worth of work and sales on Friday because their websites went down?” Wheeler asked. “In the internet economy, you don’t have brick-and-mortar anymore. If you’re selling stuff through the internet and all of a sudden the internet doesn’t work—you’re not selling anything anymore.”

Responding to BEC scams

Dyan Cotton, CFO of International Forest Products Corporation, explained that her organization had been the target of a business email compromise (BEC) scam. Because IFP does business all around the world, much of the correspondence with its suppliers is electronic. The forest product company had received an email that appeared to be from one of its suppliers that appeared to be legitimate, with new banking instructions. The only indication that it was fake was one letter missing in the email address. “You can understand how, to the naked eye, you could just think that it’s real. When you’re talking about the volume of emails in a day—hundreds of emails—no one is going to pick up on this,” she said.

Ironically, the actual supplier had emailed IFP two days before the incident, notifying the company that someone had hacked their email account and had been impersonating them—but that email got caught in the spam filter. “The problem was some of the keywords in the email,” Cotton explained.

The situation was a major wake-up call for IFP. Given that the fraud happened through email, the company resolved to develop controls that didn’t involve electronic communications. “We decided to add a verbal confirmation with a known contact at our supplier,” Cotton said. “So any time we have a new supplier or somebody that changes bank instructions, we call our contact and verify that the information is accurate.”

Additionally, IFP made it a rule to confirm bank instructions with any and all vendors that it had not paid in the prior six months. “We do this just to make sure the information is accurate,” Cotton said.

The only drawback to this process is that it can really slow down a payment. “In a lot of what we do, the payments need to be made immediately—maybe within 24 hours or less,” Cotton said. “So if somebody has to call Brazil to find out if the banking instructions are accurate, it’s going to delay the payment instructions and hold up shipments. But nobody really wants their name on a loss like this. So while no one likes the extra step in the process, they’re adhering to it.”

Thwarting check fraud

Kasie Spence, corporate director, cash management for amusement park operator Cedar Fair Entertainment Company, explained to attendees that her company processes over 40,000 W-2s annually and hires from 40-plus countries, yet only has five people processing payroll. For years, many of Cedar Fair’s employees were paid via check, which led to substantial fraud. One of the biggest problems was employees depositing checks twice. Employees would first deposit checks by phone via remote deposit, and later take them to check cashing services.

This has caused problems for both Cedar Fair and its good employees who aren’t doing anything wrong. “We catch these; we see the second presentation and stop it. But the second presentation is usually with a check guarantee service, and they’re always calling us and asking to be made whole. We explain that it’s fraud and they’re not going to get our money, and then they put us on a block list. So then when our other employees go to get their checks cashed honestly, they’re on the block list and can’t,” Spence explained.

Ultimately, Cedar Fair realized it had to move away from checks. The company operates in several states where it can’t mandate direct deposit, so it had to come up with a different solution. “So we went paperless. We told people, if you don’t have a bank account, we have a paycard option,” she explained. “We had a very good program that we found after a decade of research that doesn’t charge fees and allows employees to get cash from ATMs for free. So it’s a benefit to the employee.”

The only pushback came from the payroll department. However, that changed quickly once those employees realized how much time they were saving. “They were spending three days every pay cycle, printing, packaging and shipping checks,” she said. “It went down to three hours. So they became my best advocate for this.”

See What's in Store for You

AFP 2018 is where treasury and finance pros meet to refuel their passion for work and find the practical knowledge to advance in their career.